REVERSE-PRACTICE-BUUCTF-10

[GWCTF 2019]xxor

ELF file, not packed.
Analyzing the main function in IDA, the logic is clear: it first reads the input, which is 6 int64 values; then, taking the values in groups of 2, it calls sub_400686 to transform each group and stores the transformed values in v11; finally it checks v11 to verify the input.
[Figure: xxor-logic]
The sub_400686 function reads the 2 values of a group, runs 64 rounds, and writes the transformed values back to their original positions.
[Figure: xxor-sub_400686]
The check function gives the 6 values that the input must equal after being transformed.
[Figure: xxor-check]
Write an inverse script. The 6 values of v11 can be worked out by hand or with Python's z3 library.
v5 is of type int32 with an initial value of 0. After 64 additions it exceeds the maximum positive int32 value, but it is truncated automatically during the computation, so v5 needs no special handling; just write the script normally.

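#include <stdio.h>

/* The 6 values that the check function requires after the transform */
long long v11[] = {
	0xdf48ef7e, 0x20caacf4, 0xe0f30fd5,
	0x5c50d8d6, 0x9e1bde2d, 0x84f30420 };
/* a2 values used in the transform */
long long a2[] = { 2, 2, 3, 4 };

int main(void)
{
	for (int i = 0; i <= 4; i += 2)
	{
		unsigned int v3 = v11[i];
		unsigned int v4 = v11[i + 1];
		/* int32 in the binary; unsigned here so the wrap-around is well-defined in C */
		unsigned int v5 = 0;
		/* Value of v5 after the 64 forward rounds */
		for (int j = 0; j <= 63; j++)
			v5 += 1166789954;
		/* Undo the 64 rounds in reverse order */
		for (int j = 0; j <= 63; j++)
		{
			v4 -= (v3 + v5 + 20) ^ ((v3 << 6) + a2[2]) ^ ((v3 >> 9) + a2[3]) ^ 0x10;
			v3 -= (v4 + v5 + 11) ^ ((v4 << 6) + a2[0]) ^ ((v4 >> 9) + a2[1]) ^ 0x20;
			v5 -= 1166789954;
		}
		/* v5 is back at its initial value, so all rounds were undone */
		if (v5 == 0)
		{
			v11[i] = v3;
			v11[i + 1] = v4;
		}
	}
	for (int i = 0; i < 6; i++)
	{
		printf("%lld,", v11[i]);
	}
	return 0;
}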

Run the script to get the result:
[Figure: xxor-script]
Then use Python's long_to_bytes to convert the values into a string.
[Figure: xxor-flag]
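The int32 truncation of v5 has to be written out explicitly when the same inversion is done in Python, where integers do not wrap. The following is an added example, not part of the original post: the forward transform is reconstructed as the exact inverse of the C script above (an assumption, not copied from the binary), and all function names are hypothetical.

```python
MASK = 0xFFFFFFFF       # every value in the routine lives in a 32-bit register
DELTA = 1166789954      # constant added to v5 each round (from the C script above)
KEY = [2, 2, 3, 4]      # a2[] from the C script above
ROUNDS = 64
TARGETS = [0xDF48EF7E, 0x20CAACF4, 0xE0F30FD5, 0x5C50D8D6, 0x9E1BDE2D, 0x84F30420]

def _mix(v, v5, add, k0, k1, c):
    # One half-round term; v is already masked, so >> matches C's unsigned shift.
    return ((v + v5 + add) ^ ((v << 6) + k0) ^ ((v >> 9) + k1) ^ c) & MASK

def encrypt_pair(v3, v4):
    # Assumed forward transform: the exact inverse of decrypt_pair below.
    v5 = 0
    for _ in range(ROUNDS):
        v5 = (v5 + DELTA) & MASK
        v3 = (v3 + _mix(v4, v5, 11, KEY[0], KEY[1], 0x20)) & MASK
        v4 = (v4 + _mix(v3, v5, 20, KEY[2], KEY[3], 0x10)) & MASK
    return v3, v4

def decrypt_pair(v3, v4):
    # What the int32 holds after 64 wrapped additions.
    v5 = (ROUNDS * DELTA) & MASK
    for _ in range(ROUNDS):
        v4 = (v4 - _mix(v3, v5, 20, KEY[2], KEY[3], 0x10)) & MASK
        v3 = (v3 - _mix(v4, v5, 11, KEY[0], KEY[1], 0x20)) & MASK
        v5 = (v5 - DELTA) & MASK
    return v3, v4

def decrypt_all(targets):
    # The six values are processed in three independent pairs.
    out = []
    for i in range(0, len(targets), 2):
        out.extend(decrypt_pair(targets[i], targets[i + 1]))
    return out

def to_bytes(values):
    # Minimal-length big-endian encoding, as long_to_bytes does for non-zero values.
    return b"".join(v.to_bytes((v.bit_length() + 7) // 8, "big") for v in values)

if __name__ == "__main__":
    print(to_bytes(decrypt_all(TARGETS)))
```

Dropping any of the `& MASK` operations makes the round trip fail, which is the Python counterpart of the truncation that C performs implicitly.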

[HDCTF2019]Maze

EXE program; when run, it prompts you to get the flag by walking through a maze. It is packed with UPX. Analyzing it in IDA:
The main function is not recognized as a function by IDA; the cause is junk instructions added to the code.
A jnz jumps to the very next instruction. This jnz hinders IDA's recognition, so the whole jnz instruction needs to be nopped out.
At .text:0040102E a red address is called, meaning that address does not exist in the program. A few bytes must have been inserted among the correct instruction bytes so that IDA can no longer decode them, so the extra bytes need to be removed. Select the red address, press d to convert it to data, then nop out bytes and see whether IDA can recognize the rest as code. It turns out that after converting to data and nopping the first byte, IDA can recognize the code.
[Figure: maze-fakeorder]
The effect of removing the junk instructions:
[Figure: maze-removefakeorder]
Select the red .text code from the beginning of the main function to the final retn instruction and press p to create the function, then press F5 to decompile.
Analyzing the main function: wsad correspond to up, down, left and right respectively, the initial position is [7,0], and the end position is [5,-4].
[Figure: maze-main]
Find the maze map in the Strings window. Its length is 70, so it is presumably 10x7 or 7x10. From the initial and end positions, the map is 7x10, that is, 7 rows and 10 columns; the starting point is at "+" and the ending point is at "F". Walk through the maze to get the flag.
[Figure: maze-flag]
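Walking a 70-character map as 7 rows of 10 columns can be automated with a breadth-first search that emits wsad keys. This is an added example, not part of the original post: the map below is constructed (it only places "+" and "F" at the positions given above), and the wall character "*" and open character " " are assumptions.

```python
from collections import deque

ROWS, COLS = 7, 10
# Constructed map, not the challenge's: '*' wall, ' ' open, '+' start, 'F' goal.
# '+' is at row 0, column 7 ([7,0]) and 'F' at row 4, column 5 ([5,-4]).
MAZE = (
    "*******+**"
    "*******  *"
    "******** *"
    "*****    *"
    "*****F****"
    "**********"
    "**********"
)
# Key -> (row delta, column delta): w up, s down, a left, d right.
MOVES = {"w": (-1, 0), "s": (1, 0), "a": (0, -1), "d": (0, 1)}

def locate(flat, ch):
    # Index in the flat string -> (row, column) for a map with COLS columns.
    return divmod(flat.index(ch), COLS)

def solve(flat):
    # Breadth-first search, so the returned key sequence is a shortest path.
    if len(flat) != ROWS * COLS:
        raise ValueError("map must be exactly ROWS * COLS characters")
    start, goal = locate(flat, "+"), locate(flat, "F")
    queue = deque([(start, "")])
    seen = {start}
    while queue:
        (r, c), path = queue.popleft()
        if (r, c) == goal:
            return path
        for key, (dr, dc) in MOVES.items():
            nr, nc = r + dr, c + dc
            inside = 0 <= nr < ROWS and 0 <= nc < COLS
            if inside and flat[nr * COLS + nc] != "*" and (nr, nc) not in seen:
                seen.add((nr, nc))
                queue.append(((nr, nc), path + key))
    return None  # goal unreachable, e.g. the wrong row/column split was chosen

if __name__ == "__main__":
    print(locate(MAZE, "+"), locate(MAZE, "F"), solve(MAZE))
```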

[WUSTCTF2020]level2

ELF file, packed with UPX; analyze it in IDA after unpacking.
Find the main function in the Functions window on the left, and the flag is visible in the IDA View-A window.
[Figure: level2-flag]

[BJDCTF2020]BJD hamburger competition

A Unity game (Old Eight's secret little burger): add the ingredients in the correct order to get the flag.
Drag BJD hamburger competition_Data->Managed->Assembly-CSharp.dll into dnSpy to find the main logic.
The Md5 method computes the MD5 hash of its argument, in uppercase, and takes the first 20 characters.
The Sha1 method computes the SHA-1 hash of its argument, in uppercase.
The Spawn method verifies the order in which the ingredients are added. Each ingredient performs a different operation on Init.secret (initial value 0). The SHA-1 hash of the result is compared with a known value; when they match, the program takes the MD5 hash of the result and outputs it as the flag.

using System;
using System.Security.Cryptography;
using System.Text;
using UnityEngine;

// Token: 0x02000004 RID: 4
public class ButtonSpawnFruit : MonoBehaviour
{
	// Token: 0x0600000A RID: 10 RVA: 0x00002110 File Offset: 0x00000310
	public static string Md5(string str)
	{
		byte[] bytes = Encoding.UTF8.GetBytes(str);
		byte[] array = MD5.Create().ComputeHash(bytes);
		StringBuilder stringBuilder = new StringBuilder();
		foreach (byte b in array)
		{
			stringBuilder.Append(b.ToString("X2"));
		}
		return stringBuilder.ToString().Substring(0, 20);
	}

	// Token: 0x0600000B RID: 11 RVA: 0x00002170 File Offset: 0x00000370
	public static string Sha1(string str)
	{
		byte[] bytes = Encoding.UTF8.GetBytes(str);
		byte[] array = SHA1.Create().ComputeHash(bytes);
		StringBuilder stringBuilder = new StringBuilder();
		foreach (byte b in array)
		{
			stringBuilder.Append(b.ToString("X2"));
		}
		return stringBuilder.ToString();
	}

	// Token: 0x0600000C RID: 12 RVA: 0x000021C8 File Offset: 0x000003C8
	public void Spawn()
	{
		FruitSpawner component = GameObject.FindWithTag("GameController").GetComponent<FruitSpawner>();
		if (component)
		{
			if (this.audioSources.Length != 0)
			{
				this.audioSources[Random.Range(0, this.audioSources.Length)].Play();
			}
			component.Spawn(this.toSpawn);
			string name = this.toSpawn.name;
			if (name == "汉堡底" && Init.spawnCount == 0)
			{
				Init.secret += 997;
			}
			else if (name == "鸭屁股")
			{
				Init.secret -= 127;
			}
			else if (name == "胡罗贝")
			{
				Init.secret *= 3;
			}
			else if (name == "臭豆腐")
			{
				Init.secret ^= 18;
			}
			else if (name == "俘虏")
			{
				Init.secret += 29;
			}
			else if (name == "白拆")
			{
				Init.secret -= 47;
			}
			else if (name == "美汁汁")
			{
				Init.secret *= 5;
			}
			else if (name == "柠檬")
			{
				Init.secret ^= 87;
			}
			else if (name == "汉堡顶" && Init.spawnCount == 5)
			{
				Init.secret ^= 127;
				string str = Init.secret.ToString();
				if (ButtonSpawnFruit.Sha1(str) == "DD01903921EA24941C26A48F2CEC24E0BB0E8CC7")
				{
					this.result = "BJDCTF{" + ButtonSpawnFruit.Md5(str) + "}";
					Debug.Log(this.result);
				}
			}
			Init.spawnCount++;
			Debug.Log(Init.secret);
			Debug.Log(Init.spawnCount);
		}
	}

	// Token: 0x04000005 RID: 5
	public GameObject toSpawn;

	// Token: 0x04000006 RID: 6
	public int spawnCount = 1;

	// Token: 0x04000007 RID: 7
	public AudioSource[] audioSources;

	// Token: 0x04000008 RID: 8
	public string result = "";
}

You can use an online lookup site to recover the original value of the known SHA-1, which is 1001.
[Figure: bjd-desha1]
Take the MD5 of 1001, convert it to uppercase, and take the first 20 characters to get the flag.
[Figure: bjd-flag]
If you don't use an online site to reverse the SHA-1 and MD5 hashes, write a brute-force script:

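#coding:utf-8
# Operation per ingredient (names as they appear in Assembly-CSharp.dll),
# followed by the index used for it in the loops below
#汉堡底 +=997
#汉堡顶 ^=127
#鸭屁股 -=127  0
#胡罗贝 *=3    1
#臭豆腐 ^=18   2
#俘虏   +=29   3
#白拆   -=47   4
#美汁汁  *=5   5
#柠檬   ^=87   6
import hashlib
# Pick 4 of the other 7 ingredients; together with 汉堡底 and 汉堡顶 that makes 6 in total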
for i in range(7):
    for j in range(7):
        for k in range(7):
            for m in range(7):
                    secret=997    # 汉堡底 counts as the first ingredient
                    if i==0:
                        secret-=127
                    elif i==1:
                        secret*=3
                    elif i==2:
                        secret^=18
                    elif i==3:
                        secret+=29
                    elif i==4:
                        secret-=47
                    elif i==5:
                        secret*=5
                    elif i==6:
                        secret^=87
                    if j==0:
                        secret-=127
                    elif j==1:
                        secret*=3
                    elif j==2:
                        secret^=18
                    elif j==3:
                        secret+=29
                    elif j==4:
                        secret-=47
                    elif j==5:
                        secret*=5
                    elif j==6:
                        secret^=87
                    if k==0:
                        secret-=127
                    elif k==1:
                        secret*=3
                    elif k==2:
                        secret^=18
                    elif k==3:
                        secret+=29
                    elif k==4:
                        secret-=47
                    elif k==5:
                        secret*=5
                    elif k==6:
                        secret^=87
                    if m == 0:
                        secret -= 127
                    elif m == 1:
                        secret *= 3
                    elif m == 2:
                        secret ^= 18
                    elif m == 3:
                        secret += 29
                    elif m == 4:
                        secret -= 47
                    elif m == 5:
                        secret *= 5
                    elif m == 6:
                        secret ^= 87
                    secret^=127   # when 汉堡顶 is added last, the ingredient count has not yet reached 6
                    h = hashlib.sha1()
                    h.update(str(secret).encode(encoding='utf-8'))
                    # check the SHA-1 hash
                    if h.hexdigest() == "DD01903921EA24941C26A48F2CEC24E0BB0E8CC7".lower():
                        print(secret)
                        # print the MD5 hash
                        h2 = hashlib.md5()
                        h2.update(str(secret).encode(encoding='utf-8'))
                        print(h2.hexdigest().upper()[0:20])

Result of running the script:
[Figure: bjd-flag]

Origin blog.csdn.net/weixin_45582916/article/details/114155833